Somebody over on Reddit [1] went through all the submissions (there was a consultation period) and summarised and tallied them [2]. Fully 99%+ of submissions were against the bill. A sad day for democracy indeed. A church in Tasmania was in favour, because child pornography.

Lots of people reporting that the offices of MPs and senators were inundated with calls today and over the last few days. Twitter was on fire too. Ignored, just like the expert testimony before the PJCIS. Who do these fools think they were representing?

The US government and their agenda to spread similar laws in their country and across the world.

Labor was always on board with the core of the legislation; likely as they were aware of some unreported Five Eyes agreement that Australia will be the 'thin edge of the wedge' to introduce such laws worldwide.

Any amendments proposed wouldn't have changed the goal and were simply the basis for some political theatre to look like such a law has been considered and debated by the politicians. The outcome had already been decided a lot earlier than that point.

Voters? I don’t mean to be snarky, but while Tweets, submissions and letters may inform the content of bills in democracies, the counts of these are not numerically representative of much, apart from the feelings of people who feel strongly about an issue.

The same interests they are always representing. Themselves. The organisations and lobbyists that got them voted in. The organisations from which they're looking forward to offers of high-priced consultancies and directorships after the next election.

Don't forget the voters who elected them. Do you see the voters running to the polls and voting for someone else when crap like this gets passed? Of course not. Therefore, the voters implicitly consent to it.

Oh hey, pwnies from reddit here! It wasn't just me, it was myself and a bunch of my coworkers over at Atlassian. As one of the larger Australian tech companies, many of us are somber today to see this passed.

Hard to say. The final text of the bill with the amendments that got added this week hasn't been published officially yet (https://www.aph.gov.au/Parliamentary_Business/Bills_Legislat... only the first reading is available). Once it is we'll have to do a full review from legal - it's something a bunch of us are wondering internally right now. There are a lot of loopholes in the bill, so it's hard to say what things we'll be required to do, if any. The bigger impact will be on the world view of the tech scene in Australia. Needless to say this is very damaging, and there are concerns that we won't be able to handle any European data in Australia as it could be a potential violation of GDPR. Again though, that will have to wait until we finish the legal review of the bill and how it impacts us.

In talking with some other companies, some of them are looking at potentially moving any role that would have the ability to compromise encryption outside of the country. That way there'd be no way any employee could be legally forced to implement any backdoors or weakening of encryption. That's an extreme measure and is probably overkill right now as the loophole that states you don't have to do anything to weaken your security will likely be used as a challenge against building in any backdoors. We'll have to wait and see how things pan out.

> That's an extreme measure and is probably overkill right now as the loophole that states you don't have to do anything to weaken your security will likely be used as a challenge against building in any backdoors.

I saw that, but another part of the bill that I've seen (on a cursory review, and as a non-professional) is the sweeping, extreme secrecy measures surrounding the execution of any part of the bill.

Basically, my understanding is that you can't tell me as a customer if you've been required to compromise my privacy.

So say you even take the extreme measure and ship some sensitive roles overseas. If for any reason that's not enough, and your government requires you to surrender some of my data, then you will be legally unable to tell me.

I've read an interpretation that indicates that all Australian citizen employees are now essentially compromised, as they could be compelled under penalty of jail time to insert backdoors into an application without informing their employers.

>The Synod has some hesitancy about ‘safeguarding national security’ being one of the objectives of the notices, as it is not clear what additional activities this captures that are not criminal activities. For example, notices to address terrorist activities are already about enforcing criminal laws as would be notices targeting foreign espionage. We have a concern that ‘safeguarding national security’ might mean the desire of a government of the day to target civil society groups and individuals that oppose its policies or to target whistleblowers that expose wrong-doing by the government of the day. It would be good if the explanatory memorandum of the Bill includes an explanation of what non-criminal activities are intended to be caught under ‘safeguarding national security’ under the Bill.

I submitted comments during the review period, but I just got an automated response asking me if they could publish it -- long after all the "town hall" discussions. They clearly didn't give a fuck what the Australian public wanted.

There were 300ish responses. The tech community and savvy individuals are strongly against it, but the vast majority of people don't care or absolutely don't understand what's at stake here.

As with most deeply technical issues, it is hard to communicate to the general population exactly what the proposed problem and solution is, so the politicians are allowed to freely pass legislation (without understanding it themselves mostly) without much opposition besides the vocal minority.

> 317ZG Designated communications provider must not be required to implement or build a systemic weakness or systemic vulnerability etc.

> (1) A technical assistance notice or technical capability notice must not have the effect of:

> (a) requiring a designated communications provider to implement or build a systemic weakness, or a systemic vulnerability, into a form of electronic protection; or (b) preventing a designated communications provider from rectifying a systemic weakness, or a systemic vulnerability, in a form of electronic protection.

> (2) The reference in paragraph (1)(a) to implement or build a systemic weakness, or a systemic vulnerability, into a form of electronic protection includes a reference to implement or build a new decryption capability in relation to a form of electronic protection.

> (3) The reference in paragraph (1)(a) to implement or build a systemic weakness, or a systemic vulnerability, into a form of electronic protection includes a reference to one or more actions that would render systemic methods of authentication or encryption less effective.

These limitations would seem to imply that the bill can't require a "systemic weakness", either by introducing a new one or prohibiting the patching of an existing one, which would seem to suggest that end-to-end crypto wouldn't be affected.

Is this a correct reading? Or are there concerns that the government might, say, require end-to-end crypto to be vulnerable to a government-held golden key?

---

Edit: Part of the text,

> to implement or build a new decryption capability in relation to a form of electronic protection

There are so many loopholes in this thing. One predominant thing to keep in mind is the legal onus that is put on a company that does not comply.

The basic gems that I got from reading the draft legislation were:

- If you have server side encryption, & we want you to decrypt a particular person's data, then we expect you to do so - ad infinitum.

- If you do client side encryption then we expect you to put into place a system that allows us to decrypt a particular person's data. (One assumes that a modification should be made for the particular client such that their data can be gathered in an unencrypted manner).

So, irrespective of the caveats that you've mentioned, the bill still stands. The caveats you've mentioned are the standard bait-and-switch style legalese, to make it sound more palatable. I'd assume that in reality, it's up to the company (at their own legal cost) to prove that what needs to be created is in fact, a back door.

"The Director-General of Security, the Director-General of the Australian Secret Intelligence Service, the Director-General of the Australian Signals Directorate or the chief officer of an interception agency may give a technical assistance request to a designated communications provider.
• A technical assistance request may ask the provider to do acts or things on a voluntary basis..."

Note that an interception agency also includes "the Police Force" p9

It later states that if a provider willingly complies:

"an officer, employee or agent of the provider is not subject to any civil liability for, or in relation to, an act or thing done by the officer, employee or agent in connection with the act or thing mentioned in paragraph (b)" p17

Meaning, you're up for civil charges if you fail to respond to a non-warrant request.

I don't see how you're up for civil charges if you fail to respond. It's voluntary. The line about not being subject to civil liability sounds to me like your employer can't fire or sue you for undermining the security of their product if you're doing so in response to a request.

That's how I interpret it too. Though does that mean they can contact an employee directly, rather than going through the company to have the backdoor installed? That's how it sounds to me, since otherwise why would you bother with this provision.

And if that's the case, software really is dead in Australia. You can't trust an Australian company, even if their leadership says they've never received a request, because one of their employees may have.

There are three kinds of notices. Only one is voluntary (Technical Assistance Request). The other two (Technical Assistance Notice, Technical Capability Notice) are both mandatory and carry several hundred penalty unit punishments for non-compliance.

It doesn't need a warrant, and the requirements are varied. None of them require judicial review.

* TARs and TANs both generally require that an agency be investigating a serious crime (one that takes). There are some toy protections against abuse but they're basically meaningless (the AG or chief officer needs to be "satisfied" that it's reasonable and a few other token requirements -- need I remind you that we imprison refugees in sub-human conditions without the right to a trial, so "reasonable" is a stretch).

* TCNs are even more general. They can be done purely "in the interests of national security".

History will most likely remember these people as the completely incompetent board of directors of the fossil fuel industry that presided over the final execution of the planet's habitable ecosystem. The fact that they were politicians or even the Prime Minister for 5 minutes briefly in late 2018 won't even be a footnote...

Which, of course, leads on to a somewhat less specifically targeted "Bulk equipment interference", because once we have the capability, it'll _surely_ not get misused, right? I'm eagerly awaiting the hilarious verbal gymnastics they'll come up with to make a Technical Assistance Notice compelled "Bulk equipment interference" capability some how not a "systemic weakness"... I'm sure that'll end up in linguistics textbooks and industry jokes for decades...

We won't see any of that hilarious verbal gymnastics because any individual would be crazy to try to fight one of these orders and face 10 years in jail.

The govt will just secretly compel them, and their activity stays secret - except the bad guys can now hack our compromised infrastructure and there will be inevitable leaks of data and exploits, just like Wannacry which was originally an NSA exploit.

According to the proposed amendments (which weren't included) that had definitions, their definition of a systemic weakness is different to everyone else (yet another example of the doublespeak that this Bill contains). A systemic weakness is a weakness that is targeted, even if in order to target it you need to weaken your entire architecture in order to fulfil it. And to paraphrase the Greens MP, "the target could be as vague as all Victorians or everyone over the age of 30 and still not be considered a systemic weakness".

That’s the whole point of this legislation, and one of the reasons the legislation specifically supports the death penalty is to allow this legislation to be used by Australia to support the USA, where the death penalty still exists.

Yes, it is specifically mentioned in this legislation, and is specifically called out as indication that the foreign government’s request warrants action under this legislation. That is to say that given the foreign government seeking information that will lead to a death penalty on conviction, the Attorney General is compelled to issue an instruction under this legislation.

The Australian Government has historically been somewhat arrogant in any area of technology.

Their attitude, in this case and others, is similar to that of management at a company with a poor technology culture. "we're in charge and we're making this law, now you nerds can go sort out the details".

There's one itsy bitsy issue with that whole "systemic weakness" thing. It's not defined in the law.

You'd think something like that would not be carelessly omitted by accident, no? What this means in practice is that virtually nothing they do will ever amount to that being a "systemic weakness", just like Obama kept saying post-Snowden revelations that there have been "no abuses" of intelligence powers and that nobody in the NSA did anything wrong (even after revelations of LOVEINT, etc came out).

An Australian government order for decryption could turn into another EternalBlue-type exploit affecting millions of PCs, and the government will likely still claim that wasn't a systemic issue because they "didn't intend it to be one" (as if spy agencies ever intend their backdoors to be used by rival nations - and yet that happens every time).

The problem is that you are reading it as though the words mean what a technical person means by "systemic weakness" (such as weakening the crypto in an app in order to target a user). This is not what the words mean (and this entire bill and discussion around it is full of Orwellian doublespeak -- they redefine the word "backdoor" to mean 0-day for instance).

The words aren't defined at all in the bill (which should be a massive red flag), but even the amendments that include definitions completely miss the point and basically imply that only something like Dual_EC_DRBG is considered a "systemic weakness".

There is a lot of doomsaying because it is very seriously, no-kidding bad. Not to mention that denying such a request should almost certainly be done with some very serious (and expensive) legal advice.

Obviously the section on disclosure doesn't involve talking to your own legal representation (there is common law on this already). But even if there wasn't common law covering this it's explicitly allowed in Sect 317ZF.3e. You can even reveal it in a legal proceeding under Sect 317ZF.3b.

Australia may be leading the path toward a Kafka-esque state but we're not there yet.

They legislated the power to hand a developer a $50K fine and put them in jail for 10 years for refusing. And you can't tell anybody else about it, for them to back you up with their technical input etc.

At the end of the day, if they tell you to do it, chances are you'll have to do it. And you can't complain to anybody.

As far as I can tell there isn't a criminal penalty for refusing, what version of the bill are you looking at? In the first reading and all the amendments I could see there is "just" a 230-odd penalty units fine (which is about $25k in NSW).

You must build a custom made back door. eg. Something like ProtonMail would need to inject some extra javascript so that the government could obtain a copy before encryption, I expect.

If I were to write some software of this nature these days, I'd make sure that the client would be aware of any changes in the api - sort of like a personal warrant canary. (Note that a warrant canary is legal in this legislation).

Warrant canaries are illegal in Australia, at least in the case of other kinds of secret warrants. I would be very surprised that a judge would (given the existing laws that have similar properties) consider a warrant canary legal.

(For those wondering how they can be illegal, in Australia it's illegal to state the existence or non-existence of certain kinds of secret warrants. So a statement of a canary is, itself, illegal.)

Right, I forgot to mention the statistics. Yes, you can publish statistics in 6-month windows -- which is kind of what warrant canaries are supposed to provide information about -- but I'd be surprised if the "cannot be broken down" might be used to restrict the usefulness of statistics...

I mean, a literal reading would allow you to provide minute-by-minute 6-month windows (or a new 6-month window each time you get a request) which could be used to get very detailed alerts each time a new request was given but obviously you'd get into hot water by doing that.

No, it would be an offense to make a statement about the existence or nonexistence of a journalistic information warrant.

But I believe the bill which passed actually includes the ability to publish aggregated statistics about how many notices you've received. Removing the need for warrant canaries.

(And you wouldn't have to be a citizen, just a subject of Australian law which means that you are either a citizen, are a constitutional corporation, or physically present within Australia. Same as any other nation's laws.)

This is another thing that adds to my deep sense of shame to live in this country (sadly, that list is long and growing).

This bill does nothing to prevent the kinds of things it is intended to prevent. The apps this law targets were engineered specifically to prevent this kind of interference. The idea that passing legislation will suddenly change that, magically allowing decryption of messages is beyond idiotic.

The legal and technical barriers to getting anything useful from this legislation are huge. Not to mention the ease with which this can be bypassed (run OpenVPN and IRC on an overseas server, done).

The justification for rushing this was so that Australia could be kept 'safe' over Christmas. It's beyond difficult to describe how ridiculous that is.

Edit: Sorry, I also have to add that in the same sitting of Parliament the government also filibustered legislation that would have enabled medical evacuation of refugee children from child detention on Nauru. It's been a bad day for Human rights in Australia.

So now any of the Five Eyes intelligence agencies can have a chat with ASIO and get them to coerce companies and individuals within companies to put these back doors in. Then they can all use the same back doors, so everyone living in the USA, UK, Canada, and New Zealand can have their encryption compromised and communications intercepted. There's no way that companies will create back doors specifically just for Australia, so everyone will have access.

In terms of Australia I'm not sure what we could actually do about this. Given that it's ASIO and other government departments that want these powers and that they have tried to introduce this sort of law over the course of the last decade. Both major parties have introduced legislation such as this and both voted for it. Maybe it is time for civil disobedience, and have everyone create and distribute encryption applications for all devices, because they couldn't possibly jail everyone right? I just wonder who will be the first person jailed or the first company fined for refusing these orders.

In terms of the world at large, which country should we trust now? A lot of the Western Democracies are becoming rapidly "security" focused authoritarian, and the other countries powerful enough to stand up to them are not much better. Should we trust applications with code written in Russia? What about hardware products manufactured in China? Should we trust services running in the USA? Now we also have to be wary of any company that runs a service in the Five Eyes countries.

Sometimes I wonder if we really have it better than people in the middle ages or other earlier periods, in some ways it clearly is, but in others it's just the same smell coming from different shit.

And then somebody from inside will get a guilty conscience, but remember what happened to Snowden, and just sell the backdoor straight to Huawei or NSO or Mohamad bin Salem (salving themselves by pretending they're going to donate hundreds of millions to "improving the world", but instead will buy private islands and matching citizenships to Peter Thiel's...)

While America might have the Espionage Act, we have a law (passed a year or two ago) that gives mandatory minimum sentences of >15 years for revealing information about ASIO. And sharing the information (even if it's public) carries the same penalty -- so re-tweeting such revelations is a criminal offense. As is viewing it.

Chilling effect? More like dipped-in-liquid-nitrogen effect.

I hope Australia will have its own Edward Snowden, but the immediate repercussions would be far more severe in Australia.

Realistically, if you were a developer not in the chain of command and asked to do this: Would you? Could you?

You would be knowingly putting your name to a vulnerability, and if someone asks then you have to keep it a secret and feign incompetence. Then if they revert your change you'll have to re-implement it.

If you do tell your superiors (which would be most likely what would happen, even before writing the code) then you would be in violation and could be put in jail.

If you refuse you would be put in jail, or they would go to the next person in their list.

If you think about logistics they'd have to make contact with people in the company to even find out who the devs are who are capable of making a backdoor. That would probably tip off others in the company as to what was happening anyway. You'd think they'd essentially have to serve the whole dev team with the secret order.

I think you could immediately resign. It's not a slavery bill... is it?

I don't mean to be smug. It's just kind of sad to see what's happened to a country with enormous soft power. Same goes for the US.

I wish I knew more western countries who were defending privacy, and the environment for that matter. For a period it kind of looked like Germany _might_ but that hasn't stood up (Who knows, maybe the Pirate Party will get a chancellor someday). The Nordics don't seem amazing either.

What does that leave us with? Some rocky archipelago in the middle of the Pacific? Developing nations that simply don't care or lack the ability to have meaningful enforcement? I'm really struggling to think of something.

One of the best criticisms for the rushing through of this POS legislation was "if it's such a rush to get this done, why hasn't Australia's threat level been increased?"

The answer from the intelligence agencies is that there must be a known specific threat in order for the threat level to be increased (from "Probable" to "Expected")[0]

So, they're saying that it's important for this legislation to be passed for the sake of the safety of Australian citizens despite the fact there's no specific threat that's worth raising Australia's threat level for.

The government's primary goal is to protect itself and continue growing like cancer. In many ways the citizens are its greatest threat because they can vote to cut budget and the power of the political elites. These laws are a way to increase monitoring of citizens so problems can be squashed before they grow too big and threaten the government.

Make no mistake, with the rise of ML governments will be able to crush social movements in the nascent stage before they become too big to stop. People will be arrested for thought crimes because they posted the wrong thing on the wrong website. And currently a large number of people would cheer because the people getting arrested are on the "other" side of the political spectrum. Be careful what you wish for

where? From what I've seen Europe, UK, USA, Canada, and especially China are all moving in this direction of more privacy intrusions. Considering the West has traditionally offered the most freedom for its citizens I'd say things are trending towards authoritarian governments

They have laws protecting individuals from companies, not the government. The GDPR has special exceptions for government investigations, and many EU countries have strong domestic spy agencies that spy on their citizens.

> This is another thing that adds to my deep sense of shame to live in this country (sadly, that list is long and growing).

I don't support this legislation, but I have to ask, which country is doing a better job on human rights issues than Australia in your opinion? Surely not China or nearly any country in Asia, Africa, or South America? Surely not the US? Probably not much of Europe?

It is an absolute national shame. MSF recently likened the mental health of the people on Nauru to victims of torture.[1]

The most disturbing aspect is the strong bipartisan and public support for the ongoing abuse. Every Australian should wake up in the morning, take a long hard look in the mirror and ask themselves if they're proud of what they've become.

My personal social circle and Sydney Inner West socially aware bubble all think it's a disgrace, but I'm not kidding myself into thinking I'd need to go very far before I bumped into people who'd justify it to themselves as "necessary for the country", and not a lot further to find people actively and vocally celebrating the cruelness...

There have been slightly more encouraging signs recently that the tides are shifting, at least in my view. The rinsing the state Liberals got in Victoria after desperately pushing the openly racist and patently false "African youths are all gang members and everyone is afraid of being robbed" rhetoric, as well as the uptick in general awareness and number of protests, makes me hope the public's apathy is morphing into a deep national shame.

That being said being a "coastal elite" in a progressive area isn't necessarily a good litmus test

Some people say the efforts by Liberal/Labor are to discourage a lot more refugees from overwhelming Australia. Resulting in increased crime, less jobs, etc. They acknowledge that some will suffer in the process.

Other points I noticed:
- Coming across as emotional about the harm and suffering on Nauru or escaping war, they will dismiss all arguments as immature and feel like they're being an adult to you.
- Some are persuaded by increased economic activity and net welfare investment benefits but want more screening but wouldn't know how to do this effectively.

Source: Asking random people about policies. Some people you can try asking: mechanics, tradies, checkout people, business people, asking people who handout stuff for Liberal/Labor. To get a deep understanding, read their sources, any of the Murdoch rags or right wing morning shows (ie Alan Jones).

Why does it matter? It's not a zero sum game, what others are doing is completely irrelevant to the question of whether or not what we're doing is disgustingly immoral (and it is, as far as I'm concerned.)

This is a classic 'whataboutism', trying to deflect from the real subject by bringing up another.
But keeping in line with that theme: what about detaining immigrants on Nauru, Christmas Island, Manus Island etc. under doubtful circumstances with no open access for press and NGOs?

If you are an Australian software engineer, you have one advantage that other nationalities do not: the E3 visa. It is a US working visa that is specifically reserved for Australians and consequently it is much easier to get than an H1B.

My advice is that the Australian tech industry just got nuked from orbit, so come work in the USA. The pay is better, the work is more interesting and the tech companies actually have sway over policy here.

I am not sure that migrating will help. If I read the bill right, it implies that every person providing any service used (or "likely to be used") in Australia is under legal obligation to insert these backdoors. I don't think it specifically mentions software developed in Australia.

The bill seems to be a nightmare - it even says that the technical assistance request can be given orally. What the bloody ....?

To me, it reads like this - if you're a Nigerian developer working in Germany and refuse to do this for some software (after all, every software is "likely to be used" in Australia), you are still breaking the Australian law. But you need not be prosecutable if Germany does not have an extradition agreement with Australia. If you are an Australian anywhere in the world however, then refusing this makes you a criminal, probably later a fugitive. This is my understanding. Can someone confirm?

Australia does not have the economy to force such a perverse violation of privacy on foreign business. If they try it, Google et al will be much better served pulling a Spain and blocking access in Oz than by complying.

The courts of most nations would laugh out the notion of extraditing their own citizens to Australia for hosting a website and not giving the AU government a backdoor to it.

the US has already been doing this stuff for a long time, without it being legal. They can always pressure you and threaten to ruin any engineer's life if they don't do what they want. and who do you think came up with this legislation? It's US Intelligence. Australia is their testing lab, just like Macca's does.

That is naive and simplistic. Sure, if you were hit by a car you probably won't be making a flight. But cancer? Elective surgery? Physical therapy? There are plenty of slow roll medical issues that can survive a 16 hour plane trip.

My experience was that the ATO did not consider me a tax resident. Basically if you've tidied up your Australian affairs, earn 0% in Australia and 100% in the US, they aren't totally bloody-minded. I did make sure to use a specialist tax agent though.

After ~3 years the IRS considers me a resident for tax purposes. The ATO only cares about my income because they want to collect HECS payments.

I am an Australian software developer and am currently getting https://www.lifepim.com ready for release which, funnily enough has the main selling point as "Your data is private, secure and free from adverts" - what a joke.

The scary part is not knowing how the law is going to be implemented - I am hopeful that smart people work on the implementation of it in terms of practicality.

If it is an on request thing "give us the details of terrorist@blah.com" then that is doable, but if they really want backdoor access to all accounts, then that is ridiculous amount of work and a lot of security risks to worry about.

Technically, it's not like a dictatorship at all. A dictatorship is a government where there's one person at the top with ultimate power. What you have really is more like a "cabal", much like China's government.

Realistically could we just set up all code to be hosted overseas and then pay a set of reviewers in Europe to check PRs for possible backdoors?
Don't think the law lets them compel you to build the backdoor in a super secret and hidden way...

If you're not an Aussie company, and don't have any staff in Australia, then it's a long reach for them to do something to you.

If you specifically reject all customers attempting to sign up from an Aussie IP address, or with an Aussie physical address (if you have that), then you're on pretty firm ground to tell them to piss off if they come knocking.

But, y'know, I'm not a lawyer, and you might be subject to whatever whims any country cares to hit you with. Get some legal advice before trusting some random internet comment ;)

I have to say, the coverage of this bill on the news has been atrocious.

I've seen zero discussion of the possible ramifications of losing all security companies in Australia. Any software company that depends on security (and which one doesn't?) would be insane in the membrane to think they could credibly work in Australia now.

All they are saying is "the bill was passed to access encrypted communications of terrorists and criminals".

No discussion of no judicial oversight either.

News orgs are shooting themselves in the foot because there's no possibility of a journalist protecting their sources anymore with this nightmare.

To anyone with a business from anywhere else in the world: yes, please do, publicly and loudly, cease to deal with us (Australia) due to the very real possibility that all of your private and commercially sensitive communications will be monitored and recorded (also, given the Five Eyes agreement, shared with other countries). Australia already has a history of using its spy services for commercial gain. https://en.m.wikipedia.org/wiki/Australia%E2%80%93East_Timor...

As an Australian dev, I concur. I would rather our tech industry die (and I end up digging holes in a coal mine for a living) than have this country become a global spy hub used by governments to subdue their citizens.

They have to attempt to keep Apple from learning about it, as I understand it. I wonder what steps Apple will take to bar this kind of eventuality. If an employee makes a good faith attempt to comply with this request, which is then blocked by the overseas manufacturer, can they throw their hands up and say, "Well, I tried!"? Would this allow them to avoid the $50k fine and 10 years in jail the Government can hand out for not complying?

Cutting loose ~25 million potential customers might actually be financially rational for some companies. It's not like we here in Australia are really a very big market on the global stage...

Won't surprise me at all to find some businesses (like perhaps Whisper Systems) whose "doing business in Australia" doesn't actually earn them a single cent, yet will open them up to enormous reputational damage if they continue operating in Australia after this, might just choose to take their app/service out of the .au app stores...

If they want to continue doing business in Australia (and they very much do)

Meh. 25 million people, and not a top ten economy. Australia has a powerful reality distortion field that makes it seem more important than it is. Must be the tourist marketing and the fact that it punches above its weight in producing successful entertainers.

It’s more likely that WhatsApp and other encrypted messaging apps will just get pulled from the Australian App Store (if the Australian App Store remains in place, since it’s likely to be chosen as a distribution vector for compromised software).

The population isn't a relevant part of the argument, Mexico has 130 million people and has a smaller economy than Australia. After the top 6 or 7 economies, the next 6 or 7 are all comparable in size.

But more importantly, because of the high GDP per capita and low income inequality, Australians are wealthy with lots of disposable income. And so most international marketplaces see disproportionately high amounts of Australian spending when considering population size.

For instance, where I work, the top 5 spending countries are the US, Canada, Australia, UK, China in that order.

From the Bill itself "A person is a designated communications provider if...

4 the person provides an electronic service that has one or more end-users in Australia

5 the person provides a service that facilitates, or is ancillary or incidental to, the provision of an electronic service that has one or more end-users in Australia

6 the person develops, supplies or updates software used, for use, or likely to be used, in connection with: (a) a listed carriage service; or (b) an electronic service that has one or more end-users in Australia"

I believe ProtonMail falls into these categories. As an Australian and a user of your services myself, will this mean getting service "officially" cut off in Australia?

They’re Australian but have offices in other countries. I believe they would move for the right reasons. This seems like a pretty big reason, considering they’re targeted at enterprise. But move where? UK will have this next, America does this without any laws at much greater effect and scale.

California. I had to agree to some changes to their ToS the other day (for Bitbucket) in which I agreed to dispute resolution under California law. I suppose that's a pretty good indication of their thinking. It's not like this legislation is unexpected or sudden.

Atlassian is still very much based in Sydney. The CEOs (there's two joint CEOs), vast majority of the engineering teams and more are all just down the road from me. As with most large international tech companies, they have a number of different legal entities for regulatory, tax and other reasons.

Trello is based in NYC. I don’t know the actual corporate structure, but they could potentially be spun into a controlled company, maybe, to avoid this law somehow.

To be honest, Trello is the least of your worries, with Atlassian. Authorities having unfettered access to all your code, regardless of privacy settings, is more worrying imho. Then again, GitHub is US-based and the PATRIOT Act already gives that power to US authorities, so if you care about that, self-hosting is the only way.

As an Australian software developer who has written encryption software in the past, I'm also very concerned. I'm also doubly concerned that projects will now reject my patches because of my nationality. What an amazing shitshow of a government.

They are in Five Eyes, were instrumental in Echelon, illegally raided Dotcom... NZ is a beautiful country, but one of the weakest-willed in international terms. (Also, by all reports, internet connectivity sucks big time).

NZ actually took inspiration from our (Australia's) fibre-based national broadband network back in 2010 or so (before the current Australian Government got in and turned it into an absolute farce - instead of a new fibre network it became an upgrade to the existing old copper network, which is basically a few years off end-of-life, with the change supposed to save billions but that somehow managed to cost just as much money in the end).

As a result you can get gigabit fibre in places on their UFB network for a similar price we pay for 50-100Mbps.

I think many surveillance measures in NZ are too strict. In 2015, I remember being shocked at the fact that public buses in Wellington have audio recordings on, in addition to video surveillance. I get the feeling that NZ is one of the first testbeds for new surveillance measures.

Also, broadband connectivity is very poor (compared even to India, where I live).

If you're going to move you really should get out of the anglosphere, because the US is dragging down everyone with it and there's just not enough sentiment amongst the populations to move away from the US, even now.

Switzerland probably remains the best country in the world and has strong privacy laws and a culture of neutrality. As a plus you get to be in Europe. Tech salaries are high. The anglosphere nations lack the intellectual capital amongst the population to remain critical of encroachments of privacy in the name of protection from terrorists.

The difference is the type of person that would do it for cash likely has other personality traits that make them at least somewhat easier to spot. If this could compel upstanding, trustworthy individuals to do the same, that's a bit harder to handle.

No. People work in jurisdictions other than their own with potentially conflicting laws all the time. If it worked the way you seem to be suggesting it does, nobody, never mind Australians, would be able to work outside their home municipality at all.

If an Australian developer was served with a Technical Capability Notice to build a backdoor, and then submitted code to be analysed by a third party who found it, the developer would literally be liable to be jailed for 15 years and a $50K fine for individuals or $10 million for companies.

The law requires us to deliver exploits secretly and lie to everybody about it.

I'd recommend actually reading the bill to form your own conclusions. The main problem is that it mostly is a series of amendments, and many of them are quite unrelated.

Most of the discussion is about the Technical Capability Notice section (which allows the government to compel a telecommunication provider, under threat of 5 years imprisonment, to create the ability to access communications otherwise inaccessible) but very few people are talking about the Computer Access Warrant sections...

And it's possible for employees to be forced to do this, and you cannot reveal information about these technical notices to your employer -- in fact you are given immunity from civil persecution precisely for this reason. So you now have to sabotage your employer because of an order by the Australian government. Good luck keeping your job.

The most insidious part to me as a programmer, is the definition of a "Designated Communications Provider" which (amongst others) includes (S317C, item 6):

"the person develops, supplies or updates software used, for use, or likely to be used, in connection with:
(a) a listed carriage service; or
(b) an electronic service that has one or more end-users in Australia"

and the "eligible activities" are:

"(a) the development by the person of any such software; or
(b) the supply by the person of any such software; or
(c) the updating by the person of any such software"

I haven't read the whole thing, but my favorite part so far is 317E (1)(c), which says that the "listed acts" (the things the government can require you to do) include "installing, maintaining, testing or using software or equipment".

In other words, they can just hand you a flash drive containing malware and force you to install it. You're not allowed to say no, and you're not allowed to tell anybody.

I very well may end up reading the whole thing, but that's partly why I'd actually like an expert summary, because my understanding is that these are amendments to existing legislation, and as a non-expert, the ability for me to be able to understand all the other legislation and implications that it works with is probably pretty close to zero...

State police forces are getting these powers. So state police, federal police and ASIO can compel devs to break their security for the investigation of any crime that attracts a penalty of 3 years jail or more.

I do not have one. I'd also love one apart from the aph one below. (It's good btw)

What I believe, is that this bill is heavily influenced by the emerging UK law, by experiences failing decrypt on devices, a pervasive sense of panic and an election year.

Australian police and security have form here asking big when they know the outgoing government is their last chance that gets big wins. Australia card (digital ID) died in labor (party) days. Censorship died in Conroy's day (labor)

Anti corruption body changes which would actually help material cases in official corruption are being opposed and we're fed "think of the children" KP arguments which are "when did you stop beating your wife" dog whistle politics.

Is there a real problem with decrypts on bad people electronic comms? Sure. Will this law stop that? Nope.

The government has effectively made it possible that anyone and everyone who develops software or hardware used by anyone in the country, or where they feel national security comes into play, must compromise their software, and tell no one.

They can ask any intern to break the software, and not tell their employer.

It's bad enough to have a gaping hole in your security, but now they can ask people who have no idea what they're doing to create a backdoor.

All Australian software has now been rendered completely untrustworthy, and when those compromises in security are found, by the nation states who now know that Australian software will have holes in it, it will result in the very thing that this bill claims to prevent.

Our infrastructure has been opened up for attack, by any of our neighbours who have a reason to do so, whilst simultaneously gutting the economy of IT in Australia. Who wants to buy shitty backdoored Chinese software? It's the same now for Australia.

Australia's government has now opened the door for widescale cyberterrorism to have a chance at wreaking destruction.

Remember that the Australian Government (whatever party happens to be in power at the time, it doesn't matter which) doesn't want technology or innovation in this country. They only want the value of dirt to remain high. So that buildings remain valuable and that we can export more natural resources.

National Security Letters can't compel engineers/companies to do pretty much anything. National Security Letters can only request non-content information. A NSL also can't compel the gathering of additional non-content information beyond that already being gathered.

So a NSL could request the records for who you are sending encrypted messages to but not the content of the messages and if your messaging provider can't or doesn't already gather that information they can't be compelled to start gathering such information.

If a NSL requests information which the recipient believes violates that guidelines of information which can be requested they can disclose the NSL to legal counsel and challenge the NSL in court.

I live in Australia and this is the dumbest bill I have ever seen in parliament. Australian politicians have no clue what the fuck they have just done. Rushed through in less than four days so they can go on holidays. Bigots.

As far as stupid laws go, Australia defines "child pornography" to include drawings and stories of fictional characters, to the point where a man was convicted of possessing "child pornography" in the form of nude characters from The Simpsons, and a man in prison was convicted of producing "child pornography" for writing a story involving the rape of a young girl. England and Wales, Canada, NZ and France have similar laws on such imaginative artwork.

I'm pretty sure it's still illegal to show a naked mannequin in Tasmania.
There are plenty of stupid laws on the books.
This is one. For sure!
But read the guardian blog from today.
The opposition is avoiding having to fight against "Mr. Stop the boats.".

And as for rushed through. Lots of stupid shit took a ton of time. Like the marriage survey that could have been done in 15 minutes.

They voted for it to cover Bill's ass on the last day of parliament and 2 weeks of Dutton and ScoMo getting dumb people scared about Xmas.

The amendments to this stupid act do gut a lot of the stupidities (not completely), so the pressure now is to make this (and the Nauru re-settlement) the only thing that the ALP allows on the first days of parliament next year.

Can't write the guide for you, but the raw material can be found here (and other places): http://www.ipdeny.com/ipblocks/data/aggregated/au-aggregated...
That's a list of the (current) IPv4 Australian blocks. Each value (e.g. 1.0.4.0/22) can be used directly as a parameter for iptables on Linux, e.g. /sbin/iptables -A INPUT -s 1.0.4.0/22 -j DROP
(to really block any communication - or use REJECT instead)
A script to walk through the file works fine.
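The walk-through script the comment alludes to, written here as an added example rather than the commenter's own code: it reads a file of CIDR blocks in the one-per-line format ipdeny publishes, skips blank lines and comments, validates each entry as an IPv4 CIDR (so a corrupted or tampered download cannot smuggle extra arguments onto the iptables command line), and prints one DROP rule per valid block. The function names gen_block_rules and is_ipv4_cidr are assumed, and the file contents in the comments are constructed samples.

```shell
#!/bin/sh
# Added example (not the commenter's script): turn a list of CIDR blocks,
# one per line as published by ipdeny.com, into iptables DROP rules.
# Blank lines and '#' comments are skipped; anything that is not a
# plausible IPv4 CIDR is rejected and reported on stderr.

# Print one iptables command per valid CIDR in the file named by $1.
# Usage: gen_block_rules au-aggregated.zone          (dry run, prints rules)
#        gen_block_rules au-aggregated.zone | sh     (apply, as root)
gen_block_rules() {
    file="$1"
    while IFS= read -r cidr || [ -n "$cidr" ]; do
        # strip a trailing CR (Windows downloads) and surrounding whitespace
        cidr=$(printf '%s' "$cidr" | tr -d '\r' | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
        case "$cidr" in
            ''|'#'*) continue ;;   # blank line or comment
        esac
        if is_ipv4_cidr "$cidr"; then
            # REJECT instead of DROP sends an ICMP error back to the sender
            printf '/sbin/iptables -A INPUT -s %s -j DROP\n' "$cidr"
        else
            printf 'skipping invalid entry: %s\n' "$cidr" >&2
        fi
    done < "$file"
}

# Return 0 if $1 looks like a.b.c.d/n with each octet 0-255 and 0 <= n <= 32.
is_ipv4_cidr() {
    addr=${1%/*}
    plen=${1#*/}
    [ "$addr" != "$1" ] || return 1          # no slash at all
    case "$plen" in
        ''|*[!0-9]*) return 1 ;;             # prefix length must be digits
    esac
    [ "$plen" -le 32 ] || return 1
    old_ifs=$IFS
    IFS=.
    set -f                                   # no globbing while splitting
    set -- $addr
    set +f
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1                 # exactly four octets
    for octet in "$@"; do
        case "$octet" in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}
```

Piping the dry-run output into sh applies the rules; because every emitted line is built from a validated CIDR only, a bad line in the downloaded list is reported and skipped rather than executed. The list changes over time, so re-run it periodically and flush the old rules first.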

As an Australian citizen who has spent many years in the US, I can say that this law is in line with the main ideology of the Australian government: extreme parentalism. You run a red light: fine for $450 in the mail. No court date, no arguments. You exceed the speed limit by 5km/h: $200 fine in the mail. No arguments. It is brutal but it's hard to deny that it works. Australia has some of the lowest per capita road deaths in the OECD. The problem is that the government wants to regulate the internet the same way they regulate road traffic. You can read up on all the idiotic attempts here: https://en.wikipedia.org/wiki/Internet_censorship_in_Austral... I wonder if this means Australia will have the ability to ban apps like Telegram from the app store?

In regards to being fined for 5 km/h over the limit, there's no evidence that small increases in speed over the limit contribute to accidents. It's excessive speed that kills, like going 100 in a 60 zone. The other big killer is distraction and driver fatigue.

As for red lights, I'm fine with the strict rules there. I've almost been hit walking across the road by red light runners.

To be fair, I got a fine in the mail years ago for stopping in a no stopping zone. (Couldn't find a carpark and had a screaming baby in the back) The notice says you can contest in court, which I did and got off. That was back as a student, it wouldn't be worth my time to take a whole day off anymore. :(

This is a big deal for people of all countries as the major tech firms will quickly build-in the required backdoors to stay in compliance -- and they won't just be there for Australian citizens; they'll be there for all of us.

Yep, we already blogged about this. It's shit legislation, but it is unlikely to affect our customers at all. Public perception on the other hand, it's going to hurt that plenty.

Like basically all of Australian tech right now, we're super disappointed in our politicians and their games. I spoke to a couple of senators' offices today, and they were sure it would die in amendment hell. Genius.

Email is already insecure. Even if you use GPG, that's client side, and should be as safe/unsafe as it was before this law (unsafe b/c metadata or unknown vuln). So in terms of threat model, it hasn't changed much.

I'm not defending the Oz gov or companies here, but knee-jerk reactions just open you up to more mistakes. For me, the situation is still preferable to Google having my data/metadata.

The Australian state now behaves exactly like an enemy of the people would. In the same way I would not use an e-mail provider in Iran, North Korea, the US or other fascist regimes, I will now also not use an Australian e-mail provider.

ProtonMail is indeed great and offers a bridge for use with IMAP-compatible programs. Check out https://protonmail.com/bridge/. I believe they are working on a more integrated solution, but no news of when it'll be out have been announced.

I believe HN has a flame war detector that trips when the number of comments is greater than the number of votes, and pulls the submission off the front page. (I haven't looked, but this is probably what happened to the Google post as well.)

Since it's back on the front page now, I'd guess that the HN mods decided that this was important and un-tripped the detector.

Obviously this law and ones like it have no place in a modern, free society, but in regards to the risk with using business apps, it's just the same as before. You cannot trust apps from companies incorporated in the Five Eyes [1]. If you are using a product made in any of the Five Eyes you are already compromised. By compromised, I mean you can be almost 100% sure that if the owners of those countries want your data they will get it, and they will get it easily too. They do not need warrants, courts or judges to sign off on anything and haven't done for a long time.
To clarify my position on this: whether a law like this is actually passed or not, you should assume that every company incorporated in these countries has been forced to place backdoors in their systems. I'm not saying that every company has done this. I'm saying you should assume they have.

I should have said the confiscation (mandatory buyback) started with all semi-automatics and pump-actions in 1996.

WRT pistols, the pistols that are allowed, have less lethal power than bow and arrow (if the below excerpt is correct).

"....

they can then attend at a licenced firearm dealer and select a handgun which is suitable for the competition in which they intend to take part. This firearm may be a single-shot air pistol, a single-shot .22-calibre pistol or a .22-calibre revolver or self-loading pistol.
…"

Australian gun control is completely unrelated to this debate. You can still get a gun license fairly easily, and it solved an actual problem (there hasn't been a mass shooting since).

I would argue that the passing of the antiterrorism acts in 2005 was a far more severe issue than the 2016 bill -- they basically removed habeas corpus. Shit's been going on for much longer than you think.

Officially, they can’t, but you can be absolutely certain that iMessage, WhatsApp, Signal and Telegram are going to be immediately targeted with TCNs (technical capability notice), requiring them to bundle Australian government spyware and requiring that those apps send all conversations to the spyware.

This isn't quite true. The bill allows companies to provide statistics on how many TARs, TANs, and TCNs they've been served within a 6-month window. The obvious problem is that nothing stops them from lying or just omitting that information -- because why would you admit that your software is insecure?

These backdoors are going to be the worst code possible. What kind of crap quality code do you think a single dev under threat of jail time and the pressure of not being able to communicate with his co-workers or legal representation is going to pump out?

They can't provide specifics only ranges. In Division 6, section 317ZF, Unauthorized Disclosure of Information, section 3) subsection 13) a person forced to do one of these TAN/TCN/TCR things can release a count of how many of these TAN/TCN/TCR things. BUT Note: This subsection authorises the disclosure of aggregate statistical information. That information cannot be broken down (a) by agency; or (b) in any other way.

So Division 6, section 317ZF (3) (13) is the ONLY way someone can tell the world what is happening.

Does this mean that they can only mandate the backdooring of a user's communication if they know who the user is? Doesn't that seem irrelevant to the concerns they've raised in the past of having apprehended a suspect but been unable to decrypt their previous communications?

Not legal in Australia unfortunately (it's a bit more nuanced, but many types of secret warrants are already immune to warrant canaries -- so I'm sure a judge would see that these types of secret warrants probably have the same protections). However they do allow statistical information on how many requests they received in a 6-month window.